Security Policy

Last updated: 5 April 2026

Infrastructure Security

Layer        Measure
Transport    TLS 1.3 / HTTPS enforced on all endpoints
Hosting      Vercel Edge Network (DDoS protection, WAF, automatic SSL)
Backend      Google Cloud Run (isolated containers, auto-scaling)
Database     PostgreSQL on Neon (encryption at rest, connection pooling, SSL)
Payments     Stripe & Paystack (PCI DSS Level 1 compliant — we never store card data)

Application Security

  • Authentication: JSON Web Tokens (JWT) signed with HS256 (HMAC-SHA256), 7-day expiry, delivered in httpOnly cookies
  • Authorization: Role-based access control (SuperAdmin, Admin, Manager, Customer)
  • Tenant isolation: All database queries are tenant-scoped via Prisma middleware
  • Input validation: Zod schema validation on all API boundaries
  • XSS prevention: React auto-escaping, no dangerouslySetInnerHTML on user data
  • CSRF: SameSite cookie policy + origin verification
  • Rate limiting: API endpoints rate-limited per tenant

Security Headers

  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security: max-age=63072000
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()

Data Encryption

  • In transit: TLS 1.3 for all connections
  • At rest: AES-256 encryption on database storage (Neon)
  • Secrets: Environment variables, never committed to source control
  • Passwords: bcrypt with a cost factor of 12 (2^12 key-stretching rounds); only the salted hash is stored

Incident Response

  1. Detection — automated monitoring + alerting
  2. Containment — isolate affected systems within 1 hour
  3. Notification — ICO within 72 hours, affected users without undue delay
  4. Recovery — restore from backups, patch vulnerability
  5. Post-mortem — root cause analysis within 7 days

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email: security@authentifactor.com
  • Do not publicly disclose the vulnerability until we have resolved it
  • We will acknowledge receipt within 24 hours and provide a timeline

Compliance

  • UK GDPR / Data Protection Act 2018
  • EU GDPR
  • CCPA (California)
  • PCI DSS (via Stripe/Paystack — we never handle card data directly)